Legal claims defining the scope of protection, as filed with the USPTO.
1. A computer-implemented method, comprising: receiving, at a request processing unit, an application programming interface request for a durable cryptographic key; obtaining a first cryptographic key to be the durable cryptographic key; determining a durability duration; selecting, based at least in part on the durability duration, a public cryptographic key, the public cryptographic key selected from a plurality of public cryptographic keys, the plurality of public cryptographic keys having a corresponding set of private cryptographic keys stored in an offline repository; using the selected public cryptographic key to generate an encrypted first cryptographic key, the encrypted first cryptographic key being decryptable using a private key, from the set of private cryptographic keys, the private cryptographic key being scheduled to be destroyed at a future time corresponding to the end of the durability duration; providing the encrypted first cryptographic key for persistent storage; and making the first cryptographic key available, in response to the request processing unit authenticating the application programming interface request, for use for an amount of time that ends after the future time corresponding to the durability duration.
2. The computer-implemented method of claim 1, wherein the durability duration is encoded in a parameter in the application programming interface request.
3. The computer-implemented method of claim 1, wherein making the first cryptographic key available for use comprises associating the first cryptographic key with an identifier that is specifiable in application programming interface requests to perform cryptographic operations using the first cryptographic key.
4. The computer-implemented method of claim 1, further comprising using the first cryptographic key to generate an encrypted backup of data.
5. A system, comprising: memory to store instructions which, if executed by one or more processors of the system, cause the system to at least: obtain, as a result of a call to a request processing unit associated with an application programming interface, a first cryptographic key; determine a durability duration for the first cryptographic key; select, based at least in part on the durability duration, a second cryptographic key from a set of cryptographic keys stored in an offline repository each having a corresponding expiration; use the selected second cryptographic key to encrypt the first cryptographic key such that: for a first amount of time corresponding to the durability duration, the first cryptographic key is recoverable from the encrypted first cryptographic key; after the first amount of time has passed, the first cryptographic key is irrecoverable from the encrypted first cryptographic key; and the second cryptographic key is scheduled to be destroyed at or after completion of the durability duration; and make the first cryptographic key available, in response to the request processing unit fulfilling the call to the application programming interface, for use for a second amount of time that ends after the first amount of time corresponding to the durability duration has passed.
6. The system of claim 5, wherein the second cryptographic key is a public cryptographic key corresponding to a private cryptographic key stored in the offline repository.
7. The system of claim 5, wherein the instructions, if executed by one or more processors of the system, further cause the system to: determine the durability duration from a parameter in the call to the application programming interface.
8. The system of claim 5, wherein the instructions, if executed by one or more processors of the system, further cause the system to: receive a request to extend durability of the first cryptographic key; determine a second durability duration that ends after the durability duration; select, based at least in part on the durability duration, a third cryptographic key from the set of cryptographic keys; and use the selected third cryptographic key to encrypt the first cryptographic key.
9. The system of claim 5, wherein the instructions, if executed by one or more processors of the system, further cause the system to: make the first cryptographic key available for use by enabling the first cryptographic key to be specified in application programming interface requests to cause cryptographic operations to be performed using the first cryptographic key.
10. The system of claim 9, wherein the first cryptographic key is specifiable to distinguish from a plurality of other cryptographic keys.
11. The system of claim 5, wherein the instructions, if executed by one or more processors of the system, further cause the system to: use the first cryptographic key to generate backup objects of other data.
12. The system of claim 5, wherein the instructions, if executed by one or more processors of the system, further cause the system to: cause the second cryptographic key to be destroyed in accordance with its expiration.
13. The system of claim 5, wherein the instructions, if executed by one or more processors of the system, further cause the system to: write the encrypted first cryptographic key to a non-overwriteable data storage medium.
14. A non-transitory computer-readable storage medium having stored thereon executable instructions that, when executed by one or more processors of a computer system, cause the computer system to at least: obtain, at a request processing unit, as a result of a call to an application programming interface, a first cryptographic key; determine a durability duration; encrypt the first cryptographic key such that the first cryptographic key is decryptable using a second cryptographic key obtained from an offline repository, the second cryptographic key managed so as to ensure a limited lifetime for the second cryptographic key, wherein the limited lifetime indicates that the second cryptographic key is scheduled to be destroyed at a future time corresponding to the durability duration; and make the first cryptographic key available, in response to the request processing unit fulfilling the call to the application programming interface, for use for a period of time that ends after the limited lifetime for the second cryptographic key corresponding to the durability duration.
15. The non-transitory computer-readable storage medium of claim 14, wherein: the second cryptographic key is a private cryptographic key corresponding to a public cryptographic key; and the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to select, based at least in part on the durability duration, the public cryptographic key.
16. The non-transitory computer-readable storage medium of claim 14, wherein the second cryptographic key is from a plurality of private cryptographic keys, each with a corresponding expiration, stored in the offline repository.
17. The non-transitory computer-readable storage medium of claim 14, further comprising instructions that, when executed by the one or more processors and as a result of a request to extend durability of the first cryptographic key, cause the computer system to: select, based at least in part on a second durability duration, a third cryptographic key, the third cryptographic key being scheduled to be destroyed after the second cryptographic key; and encrypt the first cryptographic key to be decryptable using the third cryptographic key to encrypt the first cryptographic key.
18. The non-transitory computer-readable storage medium of claim 17, wherein: the first cryptographic key, decryptable by the second cryptographic key, is encrypted with one or more restrictions associated with the first cryptographic key; the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to verify that extending durability of the first cryptographic key complies with the one or more restrictions; and the instructions that cause the computer system to encrypt the first cryptographic key to be decryptable using the third cryptographic key, when executed by the one or more processors, cause the computer system to encode at least one of the one or more restrictions with the first cryptographic key.
19. The non-transitory computer-readable storage medium of claim 14, wherein the instructions that cause the computer system to encrypt the first cryptographic key, when executed by the one or more processors, cause the computer system to encrypt, with the first cryptographic key, one or more restrictions associated with the first cryptographic key.
20. The non-transitory computer-readable storage medium of claim 14, wherein the instructions that cause the computer system to make the first cryptographic key available for use, when executed by the one or more processors, cause the computer system to make the first cryptographic key specifiable by an identifier in the call to the application programming interface to cause the computer system to fulfill the call to the application programming interface by at least performing a cryptographic operation using the first cryptographic key.
21. The non-transitory computer-readable storage medium of claim 14, wherein the instructions that cause the computer system to make the first cryptographic key available for use, when executed by the one or more processors, cause the computer system to provide a copy of the first cryptographic key to another computer system.
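The mechanism the independent claims describe (select a public key by durability duration, wrap the data key under it, keep the private half offline and destroy it on schedule so the wrapped copy becomes irrecoverable), as an added illustration that is not the patent's own code: it assumes RSA-OAEP as the wrapping primitive, string key IDs, and an in-process map standing in for the offline repository.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"time"
)
// WrapKey is one of the "plurality of public cryptographic keys": the online service holds only
// the public half and the date on which its private half is scheduled to be destroyed.
type WrapKey struct{ ID string; Expires time.Time; Public *rsa.PublicKey }
// OfflineRepo stands in for the offline repository of private halves (kept in-process here).
type OfflineRepo map[string]*rsa.PrivateKey
// NewWrapKey generates a pair, keeps the private half offline and publishes the public half.
func (r OfflineRepo) NewWrapKey(id string, expires time.Time) (WrapKey, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return WrapKey{}, err }
	r[id] = k
	return WrapKey{ID: id, Expires: expires, Public: &k.PublicKey}, nil
}
// SelectWrapKey picks the key destroyed soonest that still outlives the durability duration d.
func SelectWrapKey(keys []WrapKey, now time.Time, d time.Duration) (WrapKey, error) {
	deadline, best := now.Add(d), -1
	for i, k := range keys {
		// A key whose private half dies before the deadline cannot satisfy the request.
		if !k.Expires.Before(deadline) && (best < 0 || k.Expires.Before(keys[best].Expires)) {
			best = i
		}
	}
	if best < 0 { return WrapKey{}, errors.New("no wrapping key covers the durability duration") }
	return keys[best], nil
}
// Wrap encrypts the durable data key under the selected public key (RSA-OAEP, key ID as label).
func Wrap(wk WrapKey, dataKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, wk.Public, dataKey, []byte(wk.ID))
}
// Unwrap recovers the data key only while its private half still exists in the repository.
func (r OfflineRepo) Unwrap(id string, blob []byte) ([]byte, error) {
	if k, ok := r[id]; ok {
		return rsa.DecryptOAEP(sha256.New(), nil, k, blob, []byte(id))
	}
	return nil, errors.New("private key destroyed: data key is irrecoverable")
}
// DestroyExpired is the scheduled destruction step: private halves whose expiry has passed are
// deleted, so every data key wrapped under them becomes irrecoverable from its wrapped form.
func (r OfflineRepo) DestroyExpired(keys []WrapKey, now time.Time) {
	for _, k := range keys {
		if !k.Expires.After(now) { delete(r, k.ID) }
	}
}
```

Note that the plaintext data key the service hands out stays usable after the private half is gone; only the persisted, wrapped copy is what expires, which is the "available for use for an amount of time that ends after" the durability duration in claim 1.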
October 23, 2018